Access-list to prevent access from vlan 1 to vlan 2 and from vlan 2 to vlan 1

I have configured a Cisco 3550 with IP Routing.
I want to prevent vlan 1 from accessing vlan 2 and I want to prevent vlan 2 from accessing vlan 1.
Say I was using the IP address range 192.1.15.1 - 192.1.15.254 for VLAN 1 and say I was using the IP address range 192.90.15.1 - 192.90.15.254 for VLAN 2. What would the access-list look like?
henjohn1520 Asked:

Don Johnston (Instructor) Commented:
You may have a couple choices.

1) If those are the only two VLANs on the switch and you don't want them communicating, simply disable routing with the global command "no ip routing". But that's probably not likely.

2) So creating the ACL below will prevent the two VLANs from talking to each other.


access-list 1 deny 192.90.15.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 192.1.15.0 0.0.0.255
access-list 2 permit any

int vlan 1
 ip access-group 1 out
int vlan 2
 ip access-group 2 out

henjohn1520 (Author) Commented:
What if I wanted to allow one ip address from vlan 1 to access vlan 2?

Don Johnston (Instructor) Commented:
Then you would add that one address as a permit BEFORE the deny statement of the network.

i.e.

access-list 2 permit 192.1.15.74 0.0.0.0

henjohn1520 (Author) Commented:
When I set the permit statement to allow one computer from vlan 1 to access vlan 2, the computer from vlan 1 has access to vlan 2 computers and all vlan 2 computers have access to the one computer from vlan 1 that was given access to vlan 2. Why is that? Could an extended access list be used instead of a standard access list?
Don Johnston (Instructor) Commented:
> When I set the permit statement to allow one computer from vlan 1 to access vlan 2, the computer from vlan 1 has
> access to vlan 2 computers and all vlan 2 computers have access to the one computer from vlan 1 that was given
> access to vlan 2.

From your previous post:
>What if I wanted to allow one ip address from vlan 1 to access vlan 2?

I took that to mean ONE computer on vlan to access ALL computers on VLAN 2.

Did you want something different?
henjohn1520 (Author) Commented:
Ok. I wasn't sure how it was supposed to work. Just trying to understand how it works. And the reason I need one computer to have access to the other vlan is because I need my computer to be able to log on to maintain the other network.

Thanks for your help.
Don Johnston (Instructor) Commented:
In order for two-way communications to work, traffic has to flow in BOTH directions.
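
An added example, not part of the original thread and not Cisco code: a small Python model of how a standard ACL is evaluated (source address only, wildcard mask, first match wins, implicit deny), run over the entries posted above to show why entry order matters and what each direction of a session is checked against. The VLAN 2 host 192.90.15.10 and the "appended" ordering are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(rule, src):
    """Standard ACL entry: source only; wildcard bits set to 1 are ignored."""
    _action, addr, wildcard = rule
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(src) & care) == (ip(addr) & care)

def evaluate(acl, src):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule, src):
            return rule[0]
    return "deny"

ANY = ("permit", "0.0.0.0", "255.255.255.255")  # "permit any"

# ACL 1 as posted (applied out on interface vlan 1).
ACL1_OUT_VLAN1 = [("deny", "192.90.15.0", "0.0.0.255"), ANY]
# ACL 2 (applied out on interface vlan 2) with the host permit BEFORE the deny.
ACL2_OUT_VLAN2 = [("permit", "192.1.15.74", "0.0.0.0"),
                  ("deny", "192.1.15.0", "0.0.0.255"), ANY]
# Constructed contrast: same entries, host permit after the existing lines.
ACL2_APPENDED = [("deny", "192.1.15.0", "0.0.0.255"), ANY,
                 ("permit", "192.1.15.74", "0.0.0.0")]

def round_trip(client, server, to_server_acl, to_client_acl):
    """A session needs both the request and the reply to be permitted."""
    request = evaluate(to_server_acl, client)  # routed out of vlan 2
    reply = evaluate(to_client_acl, server)    # routed out of vlan 1
    return request, reply

if __name__ == "__main__":
    cases = (("host permit first", ACL2_OUT_VLAN2),
             ("host permit last", ACL2_APPENDED))
    for label, acl in cases:
        result = round_trip("192.1.15.74", "192.90.15.10", acl, ACL1_OUT_VLAN1)
        print(f"{label}: request={result[0]} reply={result[1]}")
```

In this model the reply is still checked against ACL 1 on its way out of interface vlan 1, and a standard ACL cannot single out the destination 192.1.15.74. Matching on source and destination together is what an extended ACL provides.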